Monitoring Windows eventlog in Kibana

sant...@gmail.com

Jun 17, 2016, 12:19:03 PM
to ossec-list
Hello.
I installed OSSEC/Wazuh with Kibana on a Linux server.
I want to monitor the Windows eventlog from 2 Active Directory servers.
I have configured the agents for these servers on the Linux side and installed the OSSEC agent on the Windows servers.

The agent configuration on the Windows side is (the localfile blocks belong inside ossec_config):

<ossec_config>
  <client>
    <server-ip>192.168.12.14</server-ip>
  </client>

  <!-- Windows event log channels the agent forwards to the manager -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

I receive this log in Kibana:

{
  "rule": {
    "level": 3,
    "comment": "Windows User Logoff.",
    "sidid": 18149,
    "firedtimes": 1,
    "groups": ["windows"],
    "PCI_DSS": ["10.2.5"]
  },
  "dstuser": "Administrador",
  "full_log": "2016 Jun 07 10:33:48 WinEvtLog: Security: AUDIT_SUCCESS(551): Security: Administrador: PC-XP: PC-XP: Cierre de sesión iniciada por el usuario:     Nombre usuario: Administrador     Dominio:  DOM.local     Id. de inicio de sesión:  (0x0,0xb73d9)    ",
  "id": "551",
  "status": "AUDIT_SUCCESS",
  "data": "Security",
  "systemname": "PC-XP",
  "decoder": {"name": "windows"},
  "hostname": "agent01",
  "agentip": "any",
  "timestamp": "2016 Jun 07 10:33:51",
  "location": "WinEvtLog"
}


Please, how can I add a dashboard in the Kibana graphical interface
for eventlog monitoring?

Pedro S

Jun 17, 2016, 9:12:47 PM
to ossec-list

Hi,

I am not sure I understood what you need. Do you have Wazuh already installed and working? Did you complete all the documentation steps, so that you have all the out-of-the-box dashboards?

I can see you are receiving Windows events. Do you need to create a special, dedicated dashboard for Windows events?

You will need to use some filters in Kibana, for example:

Get all the windows events: rule.groups: windows
Get windows auth fail: rule.groups: win_authentication_failed

Playing a little bit with that, you can make this up in ten minutes (click here to open it in another window):


Maybe you can get some info in the official Kibana dashboards docs.

If you need some help creating the dashboard, just tell us, or maybe we can talk through another channel (these are OSSEC lists :D).


Best regards,

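As an added example (not part of this thread, and not Wazuh or OSSEC code), the script below prototypes the two Kibana term filters Pedro suggests (rule.groups: windows and rule.groups: win_authentication_failed) over alerts in the JSON shape shown in the first post, and aggregates the matches the way a Kibana data-table panel would (count per systemname and status). The first sample alert is the one from the post with its encoding and whitespace cleaned up; the other two alerts are constructed here to exercise a Windows logon failure and a non-Windows alert, so their rule ids and field values are illustrative. The filter evaluator only models exact term matches on a field (any element of an array field such as rule.groups), optionally joined with AND; it does not model Elasticsearch analyzers or partial matching.

```python
"""Prototype Kibana-style term filters over OSSEC/Wazuh alerts.json lines."""
import json
from collections import Counter

# Constructed sample of alerts.json (one JSON object per line).
# Line 1 is the alert from the post (encoding repaired, whitespace trimmed);
# lines 2 and 3 are made up for this example, with illustrative rule ids.
SAMPLE_ALERTS_JSON = r'''
{"rule":{"level":3,"comment":"Windows User Logoff.","sidid":18149,"firedtimes":1,"groups":["windows"],"PCI_DSS":["10.2.5"]},"dstuser":"Administrador","full_log":"2016 Jun 07 10:33:48 WinEvtLog: Security: AUDIT_SUCCESS(551): Security: Administrador: PC-XP: PC-XP: Cierre de sesión iniciada por el usuario: Nombre usuario: Administrador Dominio: DOM.local Id. de inicio de sesión: (0x0,0xb73d9)","id":"551","status":"AUDIT_SUCCESS","data":"Security","systemname":"PC-XP","decoder":{"name":"windows"},"hostname":"agent01","agentip":"any","timestamp":"2016 Jun 07 10:33:51","location":"WinEvtLog"}
{"rule":{"level":5,"comment":"Windows Logon Failure.","sidid":18105,"firedtimes":1,"groups":["windows","win_authentication_failed","authentication_failed"]},"dstuser":"jdoe","id":"4625","status":"AUDIT_FAILURE","data":"Security","systemname":"DC01","decoder":{"name":"windows"},"hostname":"dc01","agentip":"any","timestamp":"2016 Jun 07 10:40:12","location":"WinEvtLog"}
{"rule":{"level":5,"comment":"SSHD authentication failed.","sidid":5716,"firedtimes":1,"groups":["syslog","sshd","authentication_failed"]},"srcip":"10.0.0.5","hostname":"linux01","agentip":"any","timestamp":"2016 Jun 07 10:41:00","location":"/var/log/auth.log"}
'''


def load_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def get_field(alert, dotted):
    """Resolve a dotted path such as 'rule.groups' against a nested alert dict."""
    cur = alert
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(alert, query):
    """Evaluate 'field: value' terms joined by AND against one alert.

    An array-valued field (e.g. rule.groups) matches when any element equals
    the value, which is how Elasticsearch treats terms on array fields.
    """
    for term in query.split(" AND "):
        field, _, value = term.partition(":")
        field, value = field.strip(), value.strip()
        actual = get_field(alert, field)
        if actual is None:
            return False
        if isinstance(actual, list):
            if value not in [str(x) for x in actual]:
                return False
        elif str(actual) != value:
            return False
    return True


def filter_alerts(alerts, query):
    """Return the alerts that satisfy the query."""
    return [a for a in alerts if matches(a, query)]


def dashboard_counts(alerts, query, group_by=("systemname", "status")):
    """Counts per (systemname, status), i.e. what a Kibana data table for
    the filter would display."""
    counts = Counter()
    for alert in filter_alerts(alerts, query):
        counts[tuple(str(get_field(alert, f)) for f in group_by)] += 1
    return counts


ALERTS = load_alerts(SAMPLE_ALERTS_JSON)

if __name__ == "__main__":
    for q in ("rule.groups: windows", "rule.groups: win_authentication_failed"):
        print(q, "->", dict(dashboard_counts(ALERTS, q)))
```

Running the same filters in Kibana's search bar against the Wazuh alert index should give the same buckets once a Terms aggregation on systemname (and status) is added to a visualization; using this script on a slice of alerts.json first is a quick way to check that the group names and field paths are right before building the panel.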